With vSphere 8.0 Update 3 the vSphere client can be used to manage certificates for ESXi hosts. It’s not something I’d want to do at scale without some sort of automation, but in my Homelab it was a matter of minutes’ work.
The first step is to change the ESXi certificate mode, which is documented in the VMware docs. In the figure below you can see that I changed the setting as required by the documentation.
The next and final step is to follow the steps in a related documentation page to change the certificate on each ESXi host. As I use HashiCorp Vault for my PKI, copying in the Certificate Signing Request (CSR) was a doddle. The figure below shows Vault issuing a newly minted certificate for me.
I did override the Common Name on the issued certificate, as the CSR generated by the vSphere client had the CN set to the short hostname rather than the FQDN of the host. This isn’t a problem, because the CSR includes both the hostname and the FQDN as Subject Alternative Names (SANs); overriding the CN is just my preference.
In the figure below, you can see that the new certificate is picked up and applied to the ESXi host.
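As an added example (not code from the original post or from VMware/HashiCorp), the script below emulates the shape of CSR the vSphere client produced here (CN = short hostname, SANs = hostname and FQDN), checks that the FQDN really is present as a SAN before the CN is overridden, and prints the Vault PKI sign command with the CN override. It assumes openssl is on PATH; the Vault mount `pki`, role `esxi`, TTL and hostnames are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames, Vault mount/role and TTL
# are constructed placeholders; only openssl is required to run the checks.
set -eu

HOSTNAME_SHORT="esx01"                  # constructed sample host
FQDN="esx01.lab.example"                # constructed sample FQDN
WORKDIR="${TMPDIR:-/tmp}/esxi-csr-demo"
mkdir -p "$WORKDIR"

# make_csr: build a CSR shaped like the vSphere client's (CN=hostname, SAN=both)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$HOSTNAME_SHORT.key" -out "$WORKDIR/$HOSTNAME_SHORT.csr" \
    -subj "/CN=$HOSTNAME_SHORT" \
    -addext "subjectAltName=DNS:$HOSTNAME_SHORT,DNS:$FQDN" >/dev/null 2>&1
  echo "$WORKDIR/$HOSTNAME_SHORT.csr"
}

# csr_cn: print the Common Name carried in a CSR
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# csr_has_san: succeed only if DNS:<name> appears as an exact SAN entry
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# check_csr: fail unless the FQDN is already a SAN (so the CN override is safe);
# print the override needed when the CN is not the FQDN.
check_csr() {
  csr="$1"; fqdn="$2"
  csr_has_san "$csr" "$fqdn" || { echo "FQDN $fqdn missing from SANs" >&2; return 1; }
  cn=$(csr_cn "$csr")
  if [ "$cn" != "$fqdn" ]; then
    echo "CN is '$cn'; override common_name=$fqdn when signing"
  fi
}

# vault_sign_cmd: the Vault CLI call that signs the CSR with the CN overridden
vault_sign_cmd() {
  echo "vault write pki/sign/esxi csr=@$1 common_name=$2 ttl=8760h"
}

CSR=$(make_csr)
check_csr "$CSR" "$FQDN"
vault_sign_cmd "$CSR" "$FQDN"
```

After signing, `openssl x509 -in issued.crt -noout -subject -ext subjectAltName` confirms the CN override and that both SANs survived on the certificate before it is pasted into the vSphere client.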
SSL everywhere!